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DETAILED ACTION 

1 . Applicant's arguments filed July 22, 2005, have been fully considered but they 
are not persuasive. 

2. Claims 1-23 are pending and have been examined. 

Response to Amendment 

3. Regarding the Double Patenting rejection, Examiner directs Applicant's attention 
to pages 2-3 of the prior Office Action where Examiner specifically pointed out the claim 
language on each application that show the rejection is based on the claim language, 
not on the disclosure. 

Examiner has rejected the claims based solely on the language found on the 
claims of the instant application and co-pending application. 

Examiner was not mapping language found on the specification, but rather 
language found in the claims of the instant application to the language of the claims in 
the copending application. 

The Double Patenting rejection is not withdrawn (emphasis added). 

4. Examiner approves the amendment to the specification received on July 22, 
2005. The objection to the specification is withdrawn. 

5. Examiner approves the amendment to the drawings received on July 22, 2005. 
The objection to the drawings is withdrawn. The specific objection to reference 
character 18 being used for both "database" and "HTML" is also withdrawn. 

6. The rejection under 35 U.S.C. 101 is withdrawn. 
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7. Regarding Applicant's argument that Maloney does not teach or suggest the 
claimed feature of "decoding the captured data from a first predetermined format to a 
second predetermined format decipherable by humans", Examiner has given the claims 
the broadest reasonable interpretation consistent with the specification, thus, a parsing 
tool to parse the data and make it available to an analytical engine for analyzing the 
data captured by the discovery tool clearly teach the claimed feature, as someone of 
ordinary skill in the art would. Furthermore, Maloney clearly refers to data on networks, 
packets that are analyzed to determine usage patterns and intrusion events (column 5, 
lines 1-67, column 11, lines 1-67, column 12, lines 1-42). Even assuming arguendo that 
Maloney does not "decode data to a second predetermined format decipherable by 
humans", the term/expression "decipherable by humans" is fairly broad, and does not 
specify what that format is. Some humans may feel more comfortable with certain 
"format" that other humans may find not "decipherable". Thus, given the claims the 
broadest reasonable interpretation consistent with the specification, Maloney does 
teach this feature. 

Double Patenting 

8. Claims 1-8, 9-18, and 20-23 are provisionally rejected under the judicially created 
doctrine of obviousness-type double patenting as being unpatentable over claims 1-8, 
10-19, and 21-24 of copending Application No. 10/001,350. Although the conflicting 
claims are not identical, they are not patentably distinct from each other because the 
subject matter claimed in the instant application is fully disclosed in the referenced 
copending application. 
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This is a provisional obviousness-type double patenting rejection because the 
conflicting claims have not in fact been patented. 

9. The subject matter claimed in the instant application is fully disclosed in the 
referenced copending application and would be covered by any patent granted on that 
copending application since the referenced copending application and the instant 
application are claiming common subject matter, as follows: the copending application 
discloses a method of displaying data, comprising: capturing and decoding data, 
correlating data components, retrieving a web-browser template, and graphically 
displaying the correlated decoded data; the instant application discloses a method of 
displaying data, comprising: capturing and decoding data, correlating data components, 
and graphically displaying the correlated decoded data. 

Claims 1-8, 9-18, and 20-23 of the instant application are envisioned by 
copending Application No. 1 0/001 ,350's claims 1-8, 10-19, and 21-24 in that claims 1-8, 
10-19, and 21-24 of the copending application contain all the limitations of claims 1-8, 9- 
18, and 20-23 of the instant application. Claims 1-8, 9-18, and 20-23 of the instant 
application therefore are not patently distinct from the copending application claims and 
as such are unpatentable for obvious-type double patenting. 
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Claim Rejections - 35 USC § 103 

10. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

11. Claims 1, 5-9, 12-16, and 19-23 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Maloney et al. (US Patent Number: 6,269,447), and further in 
view of Cooper et al. (US Publication Number: 2004/0103315). 

Regarding claim 1, Maloney et al. teach a method of displaying data related to 
an intrusion event on a computer system, comprising: capturing data related to the 
intrusion event (column 4, lines 34-37); decoding the captured data from a first 
predetermined format to a second predetermined format decipherable by humans, the 
decoded data comprising data components of intrusion signature, data summary, and 
detailed data (column 4, lines 34-40); correlating data components of the intrusion 
signature, data summary and detailed data to one another (column 4, lines 53-60). 
Maloney et al. do not expressly disclose retrieving an web browser-based template; and 
graphically displaying the correlated decoded data components using the web browser- 
based template. Maloney et al. teach graphically displaying the correlated data 
components (column 4, lines 47-53), but are not specific as to using a browser. 
However, Cooper et al. teach retrieving an web browser-based template (page 5, 
paragraphs 88-90); and graphically displaying the correlated decoded data components 
using the web browser-based template (page 5, paragraphs 88-90). Therefore, it would 
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have been obvious to one having ordinary skill in the art at the time the invention was 
made to use web browser-based templates to graphically display correlated data. One 
of ordinary skill in the art would have been motivated to do so to provide an end user a 
tool to review reports from the end user's host computer as disclosed by Cooper et al. 
(page 2, paragraph 38, page 5, paragraph 90). 

Regarding claim 5, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Furthermore, Maloney et al. teach 
wherein capturing data comprises capturing network data packets of the intrusion event 
(column 4, lines 34-37, column 7, lines 23-27). 

Regarding claim 6, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Furthermore, Maloney et al. teach 
wherein decoding the captured data comprises decoding the captured data from a 
binary format to a human-readable text format (column 6, lines 8-20). 

Regarding claim 7, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Furthermore, Maloney et al. teach 
wherein decoding the captured data comprises decoding the captured data to decoded 
data having a data link layer protocol header, a network layer protocol header, a 
network layer protocol data summary, and packet data in hexadecimal format (column 
4, lines 24-33, column 7, lines 65-67, column 8, lines 1-12). 

Regarding claim 8, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Furthermore, Maloney et al. teach 
wherein decoding the captured data comprises decoding the captured data to decoded 
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data having an Ethernet header, an IP header, an IP data summary, and packet data in 
hexadecimal format (column 4, lines 24-33, column 7, lines 65-67, column 8, lines 1- 
12). 

Regarding claim 9, Maloney et al. teach a method of displaying data of an 
intrusion detection system, comprising: capturing, from a network, data related to an 
intrusion event in response to detecting an intrusion signature in the network data 
(column 4, lines 34-37); decoding the captured data from a predetermined format to a 
human-readable format, the decoded data comprising data components of network 
header data, data summary, and detailed data (column 4, lines 34-40); determining a 
correlation relationship between the data components of the intrusion signature, 
network header data, data summary and detailed data to one another (column 4, lines 
53-60). Maloney et al. do not expressly disclose displaying the correlated decoded data 
components by using a web browser-based template. Maloney et al. teach graphically 
displaying the correlated data components (column 4, lines 47-53), but are not specific 
as to using a browser. However, Cooper et al. teach displaying the correlated decoded 
data components by using a web browser-based template (page 5, paragraphs 88-90). 
Therefore, it would have been obvious to one having ordinary skill in the art at the time 
the invention was made to use web browser-based templates to graphically display 
correlated data. One of ordinary skill in the art would have been motivated to do so to 
provide an end user a tool to review reports from the end user's host computer as 
disclosed by Cooper et al. (page 2, paragraph 38, page 5, paragraph 90). 
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Regarding claim 12, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 9 above. Furthermore, Maloney et al. 
teach wherein capturing data comprises capturing network data packets of the intrusion 
event in response to detecting the presence of a predetermined data pattern in the 
network data packet (column 4, lines 34-37, column 2, lines 23-33, column 12, lines 21- 
42). 

Regarding claim 13, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 9 above. Furthermore, Maloney et al. 
teach wherein decoding the captured data comprises decoding the captured data from a 
binary format to a text format (column 6, lines 8-20). 

Regarding claim 14, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 9 above. Furthermore, Maloney et al. 
teach wherein decoding the captured data comprises decoding the captured data to 
decoded data having a data link layer protocol header, a network layer protocol header, 
a network layer protocol data summary, and packet data in hexadecimal format (column 
4, lines 24-33, column 7, lines 65-67, column 8, lines 1-12). 

Regarding claim 15, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 9 above. Furthermore, Maloney et al. 
teach wherein decoding the captured data comprises decoding the captured data to 
decoded data having an Ethernet header, an IP header, an IP data summary, and 
packet data in hexadecimal format (column 4, lines 24-33, column 7, lines 65-67, 
column 8, lines 1-12). 
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Regarding claim 16, Maloney et al. teach a system of presenting data of an 
intrusion detection system, comprising: a network driver capturing data related to an 
intrusion event upon detecting a predetermined intrusion signature (column 7, lines 23- 
27, column 2, lines 23-33, column 12, lines 21-42); a decode engine decoding the 
captured data from a predetermined format to a predetermined format decipherable by 
humans, the decoded data comprising data components of intrusion event data, data 
summary, and detailed data (column 4, lines 34-40); and a user interface graphically 
correlating data components of the intrusion signature, intrusion event data, data 
summary and detailed data to one another (column 4, lines 53-60). Maloney et al. do 
not expressly disclose displaying the correlated decoded data components according to 
a web browser-based format. Maloney et al. teach graphically displaying the correlated 
data components (column 4, lines 47-53), but are not specific as to using a browser. 
However, Cooper et al. teach displaying the correlated decoded data components 
according to a web browser-based format (page 5, paragraphs 88-90). Therefore, it 
would have been obvious to one having ordinary skill in the art at the time the invention 
was made to use web browser-based templates to graphically display correlated data. 
One of ordinary skill in the art would have been motivated to do so to provide an end 
user a tool to review reports from the end user's host computer as disclosed by Cooper 
et al. (page 2, paragraph 38, page 5, paragraph 90). 

Regarding claim 19, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 16 above. Furthermore, Cooper et al. 
teach the system, as set forth in claim 16, further comprising a web server operable to 



Application/Control Number: 10/002,064 Page 10 

Art Unit: 2136 

transmit a file in a web-browser displayable format having the correlated and decoded 
data components (page 5, paragraph 90). 

Regarding claim 20, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 16 above. Furthermore, Maloney et al. 
teach the system, as set forth in claim 16, wherein the network driver captures network 
data packets of the intrusion event in response to the intrusion detection system 
detecting a predetermined data pattern corresponding to the predetermined intrusion 
signature (column 7, lines 23-27, column 2, lines 23-33, column 12, lines 21-42). 

Regarding claim 21, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 16 above. Furthermore, Maloney et al. 
teach the system, as set forth in claim 16, wherein the decode engine decodes the 
captured data from a binary format to a human-readable text format (column 6, lines 8- 
20). 

Regarding claim 22, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 16 above. Furthermore, Maloney et al. 
teach the system, as set forth in claim 16, wherein the decode engine decodes the 
captured data to decoded data components having a data link layer protocol header, a 
network layer protocol header, a network layer protocol data summary, and packet data 
in hexadecimal format (column 4, lines 24-33, column 7, lines 65-67, column 8, lines 1- 
12). 

Regarding claim 23, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 16 above. Furthermore, Maloney et al. 
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teach the system, as set forth in claim 16, wherein the decode engine decodes the 
captured data to decoded data components having an Ethernet header, an IP header, 
an IP data summary, and packet data in hexadecimal format (column 4, lines 24-33, 
column 7, lines 65-67, column 8, lines 1-12). 

12. Claims 2-4, 10-11, and 17-18 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Maloney et al. and Cooper et al. as applied to claims 1, 9 
respectively above, and further in view of Slodowski et al. (US Patent Number: 
6,775,583). 

Regarding claim 2, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Maloney et al. and Cooper et al. do not 
disclose expressly graphically displaying the correlated decoded data components 
comprises graphically highlighting correlated data components of intrusion signature, 
data summary and detailed data. However, Slodowski et al. teach wherein graphically 
displaying the correlated decoded data components comprises graphically highlighting 
correlated data components of intrusion signature, data summary and detailed data 
(column 5, lines 13-43). Therefore, it would have been obvious to one having ordinary 
skill in the art at the time the invention was made to graphically display data, highlighting 
correlated data. One of ordinary skill in the art would have been motivated to do so to 
provide users with an easy to learn, easy to handle, and comfortable data arrangement 
(Slodowski et al., column 2, lines 54-67). 

Regarding claim 3, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Maloney et al. and Cooper et al. do not 
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disclose expressly wherein graphically displaying the correlated decoded data 
components comprises: receiving a user input selecting a displayed data component; 
and graphically highlighting data components correlated to the selected data 
component. However, Slodowski et al. teach wherein graphically displaying the 
correlated decoded data components comprises: receiving a user input selecting a 
displayed data component; and graphically highlighting data components correlated to 
the selected data component using the web browser-based template (column 5, lines 
13-43). Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to graphically display data, highlighting correlated data. 
One of ordinary skill in the art would have been motivated to do so to provide users with 
an easy to learn, easy to handle, and comfortable data arrangement (Slodowski et al., 
column 2, lines 54-67). 

Regarding claim 4, the combination of Maloney et al. and Cooper et al. teaches 
the limitations as set forth under claim 1 above. Maloney et al. and Cooper et al. do not 
disclose expressly wherein graphically displaying the correlated decoded data 
comprises: receiving a user input selecting a displayed data component; graphically 
highlighting the user selected data component using the web browser-based template; 
and graphically highlighting data components correlated to the selected data component 
using the web browser-based template. However, Slodowski et al. teach wherein 
graphically displaying the correlated decoded data comprises: receiving a user input 
selecting a displayed data component; graphically highlighting the user selected data 
component using the web browser-based template; and graphically highlighting data 
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components correlated to the selected data component using the web browser-based 
template (column 5, lines 13-43). Therefore, it would have been obvious to one having 
ordinary skill in the art at the time the invention was made to graphically display data, 
highlighting correlated data. One of ordinary skill in the art would have been motivated 
to do so to provide users with an easy to learn, easy to handle, and comfortable data 
arrangement (Slodowski et al., column 2, lines 54-67). 

Regarding claim 10, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 9 above. Maloney et al. and Cooper et 
al. do not disclose expressly wherein graphically displaying the correlated decoded data 
comprises: receiving a user input selecting a displayed data component; and graphically 
highlighting all data components correlated to the selected data component using an 
HTML template. However, Slodowski et al. teach wherein graphically displaying the 
correlated decoded data comprises: receiving a user input selecting a displayed data 
component; and graphically highlighting all data components correlated to the selected 
data component using an HTML template (column 5, lines 13-43). Therefore, it would 
have been obvious to one having ordinary skill in the art at the time the invention was 
made to graphically display data, highlighting correlated data. One of ordinary skill in the 
art would have been motivated to do so to provide users with an easy to learn, easy to 
handle, and comfortable data arrangement (Slodowski et al., column 2, lines 54-67). 

Regarding claim 11, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 9 above. Maloney et al. and Cooper et 
al. do not disclose expressly wherein graphically displaying the correlated decoded data 
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comprises: receiving a user input selecting a displayed data component; graphically 
highlighting the user selected data component; and graphically highlighting data 
components correlated to the selected data component. However, Slodowski et al. 
teach wherein graphically displaying the correlated decoded data comprises: receiving a 
user input selecting a displayed data component; graphically highlighting the user 
selected data component; and graphically highlighting data components correlated to 
the selected data component (column 5, lines 13-43). Therefore, it would have been 
obvious to one having ordinary skill in the art at the time the invention was made to 
graphically display data, highlighting correlated data. One of ordinary skill in the art 
would have been motivated to do so to provide users with an easy to learn, easy to 
handle, and comfortable data arrangement (Slodowski et al., column 2, lines 54-67). 

Regarding claim 17, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 16 above. Maloney et al. and Cooper et 
al. do not disclose expressly wherein the user interface graphically highlights correlated 
data components of intrusion event data, data summary and detailed data. However, 
Slodowski et al. teach wherein the user interface graphically highlights correlated data 
components of intrusion event data, data summary and detailed data (column 5, lines 
13-43). Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to graphically display data, highlighting correlated data. 
One of ordinary skill in the art would have been motivated to do so to provide users with 
an easy to learn, easy to handle, and comfortable data arrangement (Slodowski et al., 
column 2, lines 54-67). 
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Regarding claim 18, the combination of Maloney et al. and Cooper et al. 
teaches the limitations as set forth under claim 16 above. Maloney et al. and Cooper et 
al. do not disclose expressly wherein the user interface is operable to receive a user 
input selecting a displayed data component, and graphically highlights all data 
components correlated to the selected data component using a web-based display 
template. However, Slodowski et al. teach wherein the user interface is operable to 
receive a user input selecting a displayed data component, and graphically highlights all 
data components correlated to the selected data component using a web-based display 
template (column 5, lines 13-43). Therefore, it would have been obvious to one having 
ordinary skill in the art at the time the invention was made to graphically display data, 
highlighting correlated data. One of ordinary skill in the art would have been motivated 
to do so to provide users with an easy to learn, easy to handle, and comfortable data 
arrangement (Slodowski et al., column 2, lines 54-67). 
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Conclusion 

1 3. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

14. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to David G. Cervetti whose telephone number is (571) 272- 
5861 . The examiner can normally be reached on Monday-Friday 7:00 am - 5:00 pm, off 
on Wednesday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz R. Sheikh can be reached on (571) 272-3795. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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